Antivirus Software

Antivirus software has (understandably) become so popular that nearly every organization requires its use on all its desktop and server systems. Many manufacturers and integrators of personal computers sold at retail include an antivirus program as standard equipment. Antivirus software on new computers is almost as common as seat belts and air bags on new cars.

Antivirus software (commonly known as AV software) operates by intercepting operating system routines that store files and open files. The AV software compares the contents of the file being opened or stored against a list of virus signatures. If the AV software detects a virus, it prevents the file from being opened or saved, usually alerting the user via a pop-up window (which is like a high-tech jack-in-the-box). Enterprise versions of the AV software send an alert to a central monitoring console so that the company’s antivirus bureau is alerted and can take evasive action if necessary.

While the number of viruses grows, the antivirus software vendors provide a way for users to update their AV software’s list of signatures so that they can defend against the latest viruses. AV software automatically contacts the AV vendor’s central computer and downloads a new signature file if the vendor’s version is newer than the user’s. Enterprise versions of AV software can now push new signature files to all desktop systems and even invoke new scans in real time. AV software now commonly looks for updates one or more times per day.

Heuristics

AV software’s new problem is that tens of millions of known viruses have been developed, and over a million are in circulation today. Thus AV software vendors are considering a new approach called heuristics to defend against viruses: The AV software detects certain kinds of anomalous behavior (for instance, the replacement of an .exe file with a newer version) instead of using the tedious method of checking all the virus signatures. Most AV products today use both the signature method and heuristics for detecting viruses; everyone (except the virus writers) hopes that someday heuristics become the primary method for virus detection.
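The two detection methods described above can be put side by side in a short sketch. This is an added example, not code from the book or from any AV product; the signature patterns, file paths and the `WriteMonitor` class are constructed for illustration, and the heuristic is the one the text names (an existing .exe being replaced).

```python
import hashlib
from dataclasses import dataclass, field

# Constructed byte patterns standing in for a vendor signature file.
SIGNATURES = {
    "Demo.Alpha": bytes.fromhex("deadbeef") + b"DEMO-ALPHA",
    "Demo.Beta": b"\x90\x90DEMO-BETA\x90\x90",
}

def signature_scan(data):
    """Signature method: names of every known pattern found in the contents."""
    return sorted(n for n, pat in SIGNATURES.items() if pat in data)

@dataclass
class Verdict:
    allow: bool
    reasons: list = field(default_factory=list)

class WriteMonitor:
    """Hypothetical stand-in for the hook on the OS 'store file' routine."""

    def __init__(self):
        self.baseline = {}  # path -> SHA-256 of the last content allowed

    def on_write(self, path, data):
        reasons = ["signature:" + n for n in signature_scan(data)]
        digest = hashlib.sha256(data).hexdigest()
        previous = self.baseline.get(path)
        # Heuristic from the text: an existing .exe replaced by different content.
        if path.lower().endswith(".exe") and previous not in (None, digest):
            reasons.append("heuristic:exe-replaced")
        if not reasons:
            self.baseline[path] = digest  # only saved files update the baseline
        return Verdict(allow=not reasons, reasons=reasons)

def demo():
    """Replay four constructed write events through the monitor."""
    mon = WriteMonitor()
    events = [
        ("C:/apps/tool.exe", b"MZ original build"),
        ("C:/docs/report.doc", b"memo " + SIGNATURES["Demo.Alpha"]),
        ("C:/apps/tool.exe", b"MZ unknown new build"),  # no signature matches
        ("C:/apps/tool.exe", b"MZ original build"),     # identical rewrite
    ]
    return [mon.on_write(p, d) for p, d in events]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third event carries no known signature and is caught only by the heuristic. A legitimate software update would trip the same rule in this sketch, so the heuristic is a signal to weigh rather than proof of infection.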

Heuristics can solve a number of problems:

Conservation of space: While the number of viruses grows, signature files grow ever larger, taking more time to download and consuming more space on systems. You don’t really have to worry about file size when PC hard drives cost less than $5 per gigabyte, but AV software is making its way onto resource-limited personal digital assistants (PDAs), smartphones, and other lightweight devices that can’t store tens of thousands of virus signatures.

Decreased download time: The rate of virus creation means that you need to download signature files more and more frequently. (Pretty soon, it seems, the Internet will have enough capacity to support only AV signature-file downloads, Facebook, Twitter, YouTube, and porn sites.)

Improved computer performance: Rather than constantly comparing messages to ever-larger signature files, the computer’s defenses focus on symptoms rather than on whether a document does or does not possess a virus signature.

AV popping up everywhere

You can find antivirus software on more than just PC desktops. You also run across it on e-mail servers that scan attachments, as well as on web proxy servers, file servers, and application servers. Even firewalls and spam blockers are getting into the act.

Antivirus software is available for UNIX systems, too, but ironically, the UNIX versions check for PC viruses (not UNIX viruses). Why put antivirus software on UNIX systems? Well, often UNIX systems are used as file servers (with Samba) or web servers — which makes them part of the information conduit between PCs, so why not try to block viruses there, too?
